Hong Kong gives crypto platforms one year to ditch one-time passwords or cover user losses

Summary

Hong Kong’s regulator has ordered licensed crypto platforms and internet brokers to stop using one-time passwords for client logins and device registration by July 8, 2027. These actions must instead use phishing-resistant authentication, such as passkeys or robust device binding with an added factor like biometrics or a password. OTPs can still be used for other purposes. The rules take effect immediately for fraud controls: firms must strengthen client alerts, account monitoring, surveillance, and incident response now, and suspend or restrict accounts as soon as fraud is suspected. Large internet brokers should adopt the stronger methods immediately, while other firms have 12 months to implement them. Existing device bindings do not need to be re-done. The move follows 2025 phishing scams that used fake broker and regulator messages to steal credentials and OTPs, enabling account hijacking and fund theft. Senior managers are ultimately responsible for rollout, and firms may be liable if weak controls fail to stop unauthorized transfers.